Encrypting DNS Traffic (and why you want to)

Prevent your ISP and others from collecting information about what websites you visit by encrypting your DNS traffic.

UPDATE (25-Jan-2020): This article is largely obsolete but i'm keeping the page alive because i intend to rewrite it at some point. One of the items i want to add is how to set up DNS over TLS on your network router so that all devices that connect to your network can benefit from private and encrypted DNS resolving.

UPDATE (26-Jan-2018): If you use a Virtual Private Network (VPN) you do not necessarily need to worry about encrypting your DNS traffic as long as a), your VPN offers a DNS service and b), you trust them. The other primary advantage of using a VPN is that, like Tor, all of your internet traffic between you and the VPN exit node is encrypted, meaning neither your ISP nor anyone else should be capable of monitoring it. Yes, a VPN is yet another expense and as much as i dislike paying more to access the web on top of what my ISP charges, it doesn't cost much and i can't see myself ever going back to not using one.

The problem...

DNS -- Domain Name System -- is the service responsible for converting a domain name, such as '12bytes.org', to an IP address that is understood by computers routing internet traffic. The DNS server(s) that you are currently accessing to convert domains to IP addresses are configured in the properties of your network adapter, each adapter having its own DNS configuration, or perhaps your router or modem.

DNS is a weak link in the internet chain because this traffic is most often unencrypted and open to man-in-the-middle (MITM) attacks, even when visiting an encrypted (https) website. An attacker can easily set up their own DNS server and, using a little social engineering and/or malware, convince you to change your current DNS server, or change it without your knowledge, to the one controlled by the attacker. One possible result is that you could visit 'your-bank.com' but actually land on a forged website that may look exactly like the authentic one and thus there would be no cause for alarm while you log on with your user name and password, which would then be in the hands of the attacker. I am quite sure the tactic of DNS spoofing is used by law enforcement as well.

Lastly, i wrote this tutorial while using Windows and have since switched to Linux. A tutorial for the Debian flavors of Linux can be found here.

The solution...

Securing your DNS traffic is easy using DNSCrypt (don't download the client from the OpenDNS page). If you're not afraid of the command-line and wish to keep the process as efficient as possible, i would suggest reading the article How to Encrypt Your DNS for More Secure Browsing by How-To Geek. If you prefer a point-and-click approach however, along with a nice GUI for controlling DNSCrypt and selecting your DNS server, here's how to install and configure Simple DNSCrypt:

If you have another version of DNSCrypt installed, uninstall it first. If there is no uninstaller, then run the following command:

dnscrypt-proxy --uninstall

Next, download Simple DNSCrypt from the authors site and install the .msi package. The GUI to configure the DNSCrypt client should start automatically after the installation is complete. Configuring the DNSCrypt client is easy:

  1. Enable DNSCrypt for your network adapter.
  2. Select a DNS service.
  3. Enable the Primary DNSCrypt Service. If the service does not start, try disabling DNSCrypt for your adapter and then enabling the service. Note that the Secondary Resolver settings are disabled because this feature is not completely implemented at the time of this writing.
  4. In the 'Advanced Settings' you can download a fresh copy of the DNS resolvers list and by clicking the 'Plugins' button you can disable IPV6.
  5. Open port 443 in your firewall to allow outgoing UDP traffic for dnscrypt-proxy.exe if you need to.
  6. If you installed the 'dnscrypt-proxy' service, you can exit the Simple DNSCrypt GUI, otherwise it will need to be left running.
Simple DNSCrypt configuration for Windows

Verify DNSCrypt is working...

Windows 7 Network Connection Dialogs
Windows 7 network connection settings

To verify that everything is working, check the properties for your network adapter and make sure the primary DNS server is set to 127.0.0.1 and that the secondary server is empty as seen in the screen-shot. If it is not, make it so. Next, try visiting a website to make sure everything is working.

If necessary, reboot your machine or flush the Windows DNS cache by opening a command prompt and entering: ipconfig /flushdns , then load a web page to ensure DNSCrypt is working.

If you're wondering about the default Windows 'DNS Client' service, leave it running. You can also leave in place any firewall rules for DNS look-ups on port 53 to enable easy switching of the DNS servers in your network adapter for troubleshooting purposes.

At this point i'm not entirely sure what happens with DNS caching, but it appears that a query is sent with every request, which is not optimal. I hope to write more about this after i figure out exactly what is happening in this regard.

Tech

Cool Android Apps

A handful of cool and useful free, mostly open source Android apps...

I like to fool around with my electronic devices to learn about them and my Android powered smartphones are always victims of my curiosity. Upon entering the smartphone world, i soon found myself installing custom ROMs, tweaking various things and looking for apps to replace the functionality of all of the Google apps which i remove (i hate Google for a number of reasons).

Since neither the Google Play Store nor the Google Services Framework exist on my devices, i began looking for alternative repositories and i quickly discovered F-Droid which is a great resource for (mostly) free, open source, ad-free Android apps that are compiled from source by the F-Droid team. Compiling from source is important because it guarantees that the compiled app contains nothing more than what is in the publicly available source code.

Before you get started installing apps from F-Droid you will need to enable the installation of apps from unknown sources if you haven't already done so. I'm sure some might see this as a major no-no, to which i would reply that, out of 27 repositories tested in a 2017 independent study, including the Google Play Store, F-Droid was the only one in which no instances of malware were found. While the number of instances of malware in the Play Store was low, understand that the privacy aspect of those apps was not considered and this is perhaps the greatest concern with Play Store apps. Also see:

If you still have concerns about using the F-Droid app repository, i suggest reading Android Markets: How safe are alternative sources?.

F-Droid does not require you to create an account to access their repository and once the F-Droid client app is installed, which makes it super easy to browse their repo, it will notify you when an update is available for any app which was installed using it. The selection of apps isn't exactly massive at the moment but it is probably adequate for most people and it is constantly growing. They also have an active community forum where members can suggest new apps. Other places to look for apps are GitHub, XDA Developers, AndroidCentral and the Google developers websites.

Following are some of my favorite apps for Android devices. Keep in mind that if you download these apps without using the F-Droid client, you may not be made aware of updates. It is therefore recommended to install the F-Droid client app first and install your apps using it.

F-DroidThe F-Droid client app provides easy device access to the F-Droid repositories for open source Android apps. Unless you want to install the compiled apk files directly, which i don't recommend because you will not be informed of updates, you will need the F-Droid client. F-Droid @ F-Droid.

 

AdAwayAdAway is a compact and effective ad blocker which uses less resources than AdBlock+ because it leverages the hosts file, however this requires you have root privileges. Updating the host file can be done manually or automatically. AdAway @ F-Droid.

 

AFWall+AFWall+ provides a GUI to easily manipulate the Linux iptables firewall. AFWall+ comes packaged with the iptables and BusyBox binaries and requires root privileges to run. Note that there is a donate version which unlocks a few extra features, such as logging. If you don't wish to get the donate key at the Google Play Store, contact the AFWall+ developer to see what options he may offer. AFWall+ @ F-Droid.

 

Amaze file browserAmaze is a really nice file manager with an intuitive and attractive interface. It includes an FTP server which allows you to browse the file system over your network. Root privileges will be required if you want to browse the entire file system. Amaze is pretty powerful, but If you need something even more powerful, try Ghost Commander below. Amaze @ F-Droid.

 

Barcode ScannerBarcode Scanner supports many barcode types as well as QR codes and it seems to be pretty good at what it does. Barcode Scanner @ F-Droid.

 

BubbleBubble is a simple, handy app for leveling things and measuring angles in different ways. It is no longer maintained and can be a bit buggy, but it's the best app of its type i could find on F-Droid and it works well enough. Bubble @ F-Droid.

 

Simple CalendarCalendar is part of a suite of open source apps by Simple Mobile Tools. Calendar works offline without having to share your data with a 3rd party. It provides what you would expect from a typical calendar app and does so in a visually pleasing way. There are plenty of settings to customize the interface to your liking. Simple Calendar @ F-Droid.

 

Call RecorderCall Recorder simply records both incoming and outgoing calls and offers several options for doing so, though an option to selectively record calls via a simple choice when a call is placed or received is not one of them unfortunately. The developer tells us that most phones will not support call recording, so don't blame Call Recorder if it bombs. I would also venture a guess that it may not work on devices that are running an OEM version of Android. Call Recorder @ F-Droid.

 

DrawDraw is part of a suite of open source apps by Simple Mobile Tools. Draw is a bare-bones app that lets you draw stuff. I find it useful when i have a spur of the moment design idea and no paper. Draw @ F-Droid.

 

ForecastieForecastie is a simple weather forecast app that works off-line and pulls weather information from OpenWeatherMap. It provides a fairly detailed forecast in text form for the current day, as well as an extended forecast. Forecastie does not display a radar weather map, so if you want that functionality you might try wX below. Forecastie @ F-Droid.

 

Ghost CommanderGhost Commander is a powerful, feature packed and polished file manager for Android, however you will need root access to take full advantage of. It can be extended even further with plugins. If you don't need all the functionality that Ghost Commander provides, try Amaze above. Ghost Commander @ F-Droid.

 

KeePassDroidKeePassDroid is a great little password manager for storing all your passwords, log-on credentials or private text snippets. It is compatible with the KeePass Password Safe database files. One caveat that should be mentioned here is that the base-band OS (radio firmware) on all smartphones is proprietary and apparently has low-level access to the keyboard, so i wouldn't suggest storing any super important passwords on any device that has a cellular modem, Android or otherwise, especially if you are a journalist or activist. KeePassDroid @ F-Droid.

 

Music PlayerMusic Player is yet another open source app from Simple Mobile Tools. It has all the basic functionality you'd expect, including the ability to manage playlists. Like all of the Simple Mobile Tools apps, Music Player has a clean and pleasing interface that is easy to use. Music Player @ F-Droid.

 

Offline CalendarOffline Calendar is a companion for the default calendar app that allows it to work offline without having to rely upon a third party to store (spy on) your personal data, however since your calendar data is stored locally, no syncing is possible. Offline Calendar @ F-Droid.

 

Omni NotesOmni Notes is a really nice app for creating different kinds of notes, including checklists, text, image and audio notes. I use this app a lot for managing to-do lists. One nice feature it has that several others lack is the ability to re-order checklist items by drag-and-drop which is great if you want to sort stuff by priority. Omni Notes @ F-Droid.

 

Open CameraOpen Camera is a powerful, feature rich camera app for those that don't like the default camera. It supports front and rear cameras, image stabilization, manual controls, many different resolutions, auto-focus and much more. That said, the developer cannot possibly support every feature of every camera and so it may not be a good fit for some camera hardware. Open camera @ F-Droid.

 

OS MonitorOS Monitor is a handy app which allows you to monitor various aspects of the Android OS including network connections and running processes, as well as being able to view and export system logs. OS Monitor @ F-Droid.

 

OsmAndOsmAnd is a very powerful map and navigation application similar to Google Maps, however it uses Open Street Maps by default instead of the proprietary Google Maps, though it is capable of using maps from other sources. With all this power comes a ton of configuration options and it can be extended even further with plug-ins, so expect to fool around with it for a while in order to make efficient use of it. Its features include GPS voice guided navigation, GPS status, favorites, POI display, adding audio and video clips to locations and much more. It also works offline so you don't need a data connection to use it. There is both a free and donate version of OsmAnd and it appears that the version currently published on F-Droid is the fully featured one. OsmAnd @ F-Droid.

 

Privacy BrowserPrivacy Browser, as the name implies, is a privacy oriented web browser that is also focused on security. This slick browser makes it very easy to allow or disallow web storage, JavaScript and cookies on a per-site basis as well of many other options. Privacy Browser @ F-Droid.

 

Sensor ReadoutSensor Readout can access many of your devices sensors, some of which you may not know it had, and output the raw data in a scalable graph form. It's an interesting little app that may not have much use for most people, but i think the acceleration data could be useful to those who want to minimize vibration in machines like a multi-rotor aircraft or just about anything else that vibrates too much. Sensor Readout @ F-Droid.

 

UnitsUnits is a very powerful calculator and unit conversion app for converting from one unit of measure to another, such as from inches to centimeters. If you would rather something simpler, but still comprehensive, try Unit Converter Ultimate below. Units @ F-Droid.

 

Unit Converter UltimateUnit Converter Ultimate is another nice conversion app with lots of predefined conversion formats. Though it lacks a calculator and the powerful syntax of Units, it is still quite comprehensive. Unit Converter Ultimate @ F-Droid.

 

wXwX may be the most comprehensive (and complex) weather app for Android on this side of the Milky Way. Trust me when i tell you it is not for the faint of heart as there are so many screens, widgets and options (hundreds?) it's overwhelming. Although wX is obviously oriented toward very serious weather geeks (think meteorologists, storm chasers), i like it because it has the ability to display several kinds of animated radar maps and it doesn't spy on you. The developer seems like a great guy too. wX @ F-Droid.

 

Auroa StoreAurora Store is a Google Play Store alternative that can list, download, install and update apps from the Play Store without having to create a Play Store account. From the official description, "[...] using Aurora you can download apps, update existing apps, search for apps, get details about app tracker & adware and much more. You can also Spoof your Device Information, Language and Region to get access to the apps that are not yet available or restricted in your Country or Device.". You should probably only use this if, like me, you do not have the Play Store (GAPPS) installed and the app you want is not available on F-Droid and you realize the privacy and security risks of downloading apps from the Play Store.Aurora Store @ F-Droid.

Electronic Voting Machine Fraud

This is a cursory examination of electronic voting machine fraud and the companies facilitating the manipulation of the results.

This article was last updated on [date]

It has become clear to me that it may no longer be possible to vote our way out of this messes we find ourselves in regarding politics and societal issues. Much of the voting process has been put into the hands of a few private corporations of which only two, Election Systems and Software and Diebold Election Systems, provide the vast majority of the voting hardware, software and services. Two additional corporations that play a large role are Sequoia and Hart Intercivic. All of these companies have been implicated in multiple instances of fraud and other illegalities, the following representing only a fraction:

Hundreds more instances have been cataloged by Black Box Voting.

Electronic voting machines are in use everywhere and the vast majority of voters, at least in the U.S., are forced to use them. As with any electronic device, they are susceptible to hacking and in some cases seem to be intentionally designed to be hacker friendly.

While many may appreciate their right to elect our representatives, let us not fool ourselves; if the outcome of elections in the 21st century can be, and in fact are manipulated, then we must ask ourselves, how it is that we can reasonably expect to effect change when votes are registered by insecure electronic voting machines and then counted in secret.

Forget about the alleged Russian meddlers that the mainstream media entertains you with. We have far more serious problems. The following is a video of Clint Curtis, a computer programmer at the time, testifying during a Senate hearing that a), computer programs exist to manipulate the vote count of electronic voting machines, b), that it is trivial to write one and c), that he himself was paid to write such a program for Tom Feeney, a Florida politician:

In the article, Voting Machine Company Admits Installing Vulnerable Remote-Access Software, we read:

One of the nation’s largest voting machine vendors, Election Systems & Software (ES&S), has admitted to installing vulnerable remote-access software on some of its election management systems (EMSs) equipped with modems and sold to states between 2000 to 2006.

In a letter to Sen. Ron Wyden (D-OR), written this past April and recently obtained by Motherboard, ES&S disclosed that it installed pcAnywhere — a third-party remote-access software produced by antivirus and cybersecurity software company Symantec — on some of its EMS workstation machines.

A 2018 article, Voting Machines — Unregulated, Unverifiable, Easy to Hack, says the following:

In computer terms, many voting machines are antiques that have been in use for decades. A person with nefarious motives and access to these machines could change the results without anyone knowing, because there are no real safeguards in place.

At the Def Con cyber conference earlier this year, experts pronounced that seven models of voting machines — all still in use around the country — were highly vulnerable to hacking. One, the Express Poll-5000, actually comes with the root password “password� — breaking the one password rule even the least tech-savvy person is aware of.

Just three companies — Dominion Voting Systems of Denver, ES&S of Omaha, Nebraska, and Hart InterCivic of Austin, Texas — sell and service more than 90 percent of the voting machines used in the US. Critics claim that these firms favor convenience over security, making it both easier to manipulate the machines and harder to detect such manipulation.

Watch this week’s video to learn more.

https://www.youtube.com/watch?v=zH3sHaX9NnM

For a great deal more on the absurdity of electronic voting machines, i highly suggest watching the very informative documentary, Hacking Democracy:

Firefox Extensions - My Picks

Mozilla Firefox is a popular web browser that is easily extended with add-ons, of which there are literally thousands. These are my favorites...

Mozilla Firefox is a popular, extensible, open source (mostly) web browser that is highly configurable and easy to use. Somewhat bare out of the box however, its functionality is easily extended with add-ons, or 'extensions' if you prefer, of which there are many thousands in the Mozilla add-on repository at addons.mozilla.org (AMO).

Beware

AMO Malware
A typical day at the Mozilla Firefox Add-ons repository, 2019.

With so many "free" add-ons, the unsuspecting user might be tempted to install lots of them, however i would strongly suggest installing only those you really like or need since the potential to break things and compromise browser security and your privacy increases with every add-on you install.

Another problem is unethical developers who include unwanted and unnecessary functionality which is not relevant to the primary purpose of the add-on. Often this results in data collection, tracking your web activities or worse, all of which i categorize as malware.

The problem of malware at AMO has grown exponentially as a result of a very flawed automated review process for add-ons and the company's move to the WebExtension API which made it easy for unethical developers who have infected the Google Chrome Store to port their garbage to Firefox. Indeed, probably at least half of the add-ons at AMO are garbage. Although the WebExtensions are greatly limited as opposed to the older XUL/XPCOM extensions, tracking, data collection and advertising are permitted and, on occasion, far more dangerous add-ons escape detection.

Add-on selection guidelines

  • You've been warned! Many extensions will be accompanied by a warning on their AMO pages which indicates that the extension is not monitored by Mozilla and therefore is more risky to install. While monitored extensions (those with a 'recommended' label) are scrutinized more carefully and are likely to be more trustworthy in general, there are many others which are perfectly fine to install as long as you trust the developer and/or review the code yourself.
  • Tool-bar or FOOL-bar? Be very wary of all tool-bar add-ons since many of these contain 3rd party spyware/malware components for monetization purposes.
  • Who the hell are you??? Always check to see what other add-ons the developer has created and how those are rated. Be wary when the developer is named as a company and not an individual, or when their name is anonymous, such as "Firefox user" followed by a random string of numbers. See what kind of content is on the developers website if they link to one and look for marketing hype or unethical activity. Also be wary of developers that make it difficult or impossible to contact them or submit bug reports.
  • The 0-day 'bonus'. Never install newly released add-ons from a developer you don't trust, especially if it's their only add-on. Mozilla uses a deeply flawed automated system to evaluate add-ons, so wait at least a few days until others have had a chance to review it or flag it. If the add-on quickly disappears or gets poor reviews, be thankful you didn't take the bait.
  • When "free" isn't. Always check the software license and be wary of developers who use a restrictive license. Most ethical developers will use a liberal, open source license, such as the General Public License (GPL) or the Mozilla Public License (MPL).
  • 'We care about your privacy' ... LOL. If an add-on has a privacy policy, read it and see what data the add-on may collect, where it's sent and how it's used. In general, if the document is a wall of text (long), it's probably a poor privacy policy.
  • Yes it can/no it can't. The Mozilla add-on website lists the permissions that add-ons require, though there seems to be some major problems at this time in that all permissions used by an add-on may not be listed, or permissions which the add-on does not use may be listed, so don't trust this completely. That said, look for permissions that seem unnecessary given the expected functionality of the add-on.
  • What's under the hood? In general it's best to avoid developers that attempt to hide their source code. Most ethical developers will publish their source code on platforms like GitLab, GitHub or Codeberg where people can submit proper bug reports and feature requests. In such cases there is usually a homepage and/or support link on the add-on page, or a link somewhere in the add-on settings, menus, etc., that leads to the code repository. If the source code is not published, you can still view it by decompressing the add-on or by using the excellent Extension source viewer (CRX Viewer) add-on. One thing you should always check is the extensions manifest.json file and you don't have to be a geek to do this. Open the address about:debugging#/runtime/this-firefox in Firefox (or just remember the address about:about from where you will find the debugging page) and click on the 'Manifest URL' link for the extension you want to inspect. What you want to look for are any network links for unexpected addresses. For example, an add-on like Maximize All Windows (Minimalist Version) only modifies the behavior of Firefox, therefore there shouldn't be any remote addresses in the manifest. On the other hand, an add-on like uBlock Origin needs to communicate with every tab you open, as well as be able to download fresh filter lists and so on, and so its manifest contains http://*/* , https://*/* . and <all_urls> . Other add-ons may be dedicated to a single website, such as BitChute, and so bitchute.com should be the only remote address in the manifest.
  • He said, she said. Always read the user reviews to see how well an add-on is liked and be wary if it is rated 3 stars or less, or not rated at all, or was rated highly by only a few people. Sometimes a developer will be the first to "review" their add-on, giving it 5 stars. Regardless of the rating however, always check the comments of the people that gave it the lowest rating to see if their gripes seem legitimate and whether they were addressed. That said, there are many add-ons that have been rated very highly by hundreds or thousands of people that contain malware, so don't give too much weight to user ratings alone.
  • But EVERYBODY'S using it! Many developers of hugely popular add-ons have been contacted by malware distributing 3rd parties wanting to buy their add-on or strike a deal with them. Adblock Plus by Eyeo GmbH (Wladimir Palant) is used by millions of people, yet it is a glaring example of an unethical developer who created an ad blocking extension which allows ads by default. For larger entities, Eyeo GmbH charges advertisers 30% of the revenue from Adblock Plus users who click the ads, so not only does Adblock allow ads, it's also spying on its users. Giorgio Maone, the developer of the hugely popular NoScript add-on, engaged in similar chicanery a while back.
  • Should i or shouldn't i? If you're not sure whether you'll like an add-on, you can test it by downloading the .xpi file, then opening about:debugging#/runtime/this-firefox in Firefox and clicking the 'Load Temporary Add-on' button.
  • Automatic update mALwarE install. Automatic checking for add-on updates is fine, but always disable automatic installation of updated add-ons. Before updating an add-on, read the version history to see what has changed and make sure the privacy policy, if there is one, remains strong. The problem with automatic add-on updates is that a developer may decide to monetize their work at any time and without warning, or sell their extension to an unethical party such as the developer of Stylish apparently did. Ingo Wennemaring, the well liked developer of the once popular and much loved All-in-One Sidebar add-on, warned about this in a blog post:

It was always very important for me to be honest and fair to the users. I had very good offers to sell the extension, but I didn't want to see that AiOS turn into adware or spyware.

Lastly, i would strongly suggest avoiding any add-on that asks for or requires personal information or other data which could be used to identify, track, or profile you, or which could be monetized in any way. Such extensions include, but are not limited to, those which promote coupons, discounts, or have anything to do with shopping, some form fillers which automatically fill in website forms, those which store data remotely, including in the "cloud" such as many password, bookmark and synchronization related add-ons, cryptocurrency, banking and other financial related add-ons, site specific add-ons created by corporations or other entities to promote a product or service and many VPN (Virtual Private Network) add-ons.

Regarding VPN add-ons, there are 173 of them at the time of this writing and most of them are highly suspect, yet millions of clueless people are using them. Furthermore, a VPN add-on for a web browser may protect only the browser while leaving all other network traffic unprotected, such as email if you use a local email client and, potentially, DNS look-ups. If you want to use a VPN, and i would certainly recommend considering it, it should be incorporated at the system level or, even better, at the router level.

Add-ons

ClearURLs by Kevin R. [privacy/security]

ClearURLs replaces Neat URL as my preferred link cleaner. ClearURLs removes many tracking parameters from links you click, such as the Google utm_* garbage which is used to track where you go on the web. Unlike all of the other link cleaners i've seen and used, ClearURLs doesn't include a static list of parameters, nor does it have any options or whitelist that you need to mess with. This neat little extension pulls a file from the developers GitLab repository which negates having to update the extension when there's a change to the list of parameters. Though i was sure i was going to miss the ability to whitelist certain domains, i have yet to see anything break because of this extension.

Cookie AutoDelete by CAD Team [privacy/security]

Cookie AutoDelete, or CAD for short, is a storage cleaner that can automatically clean local storage, indexedDB storage, plugin storage, workers, cache and cookies automatically on a per-host basis when you close the last tab for the host, or when the browser is restarted. CAD offers quite a lot of options yet is simple to use, requiring little or no interaction once the user whitelists or greylists the domains for which they want to retain storage items.

Caveats: May break some websites, however the add-on includes whitelist and greylist functionality.

CSS Exfil Protection by Mike Gualtieri [privacy/security]

CSS Exfil Protection prevents a certain CSS exploit that can be used to steal data from webpages.

Caveats: Could potentially break some websites, though it is easy to disable the add-on from its toolbar icon.

Dark Background and Light Text by Mikhail Khvoinitsky [enhancement]

Dark Background and Light Text replaces Dark Reader as my preferred add-on for darkening the entire web. These 'darkify' add-ons, of which there are many, change the colors used by all websites to a darker theme and this one seems to be the best of those i have tested and i've tested many.

If you want this extension to work on domains owned by Mozilla, such as addons.mozilla.org, you will need an extension that can modify HTTP headers, such as simple-modify-headers by Didierfred. The header to modify is content-security-policy and the value is style-src . You want to set the 'Action' to 'Delete' and the 'Apply on' setting to Response'. The 'Url Patterns' field can be set to https://addons.mozilla.org/* or, if you want to remove this header for all sites, just set it to an asterisk ( * ).

Caveats: All of these 'dark web' add-ons fail miserably in some cases and this one is no exception, however it seems to work better overall than all of the others i've tested and it does offer a few different styles that can be assigned to specific websites when the default style fails. Due to a shortcoming in the code, this add-on cannot be disabled for local content, such as paths beginning with file:// .

Enforce Browser Fonts by Jayesh Bhoot

Enforce Browser Fonts allows one to choose whether to use the fonts specified by the website, or those that you have defined in Firefox preferences (Language and Appearance). Personally i hate when websites override my personal font choices and this extension takes care of that. Enforce Browser Fonts defaults to enabled and will remember the websites for which you disable it.

Caveats: For the privacy minded that enable privacy.resistFingerprinting , forcing the use of your preferred fonts will increase the likelihood of your browser being uniquely identified. It can also uglify some websites.

Extension source viewer by Rob W [enhancement]

Extension source viewer is a handy and well thought out utility to quickly view the source code of a Firefox extension right from the Mozilla add-ons website without having to download and unpack it manually. The extension has the ability to search the contents of the files in the source code by prefixing the search with ' ! '.

Caveats: For advanced users.

FireMonkey by erosman [enhancement]

FireMonkey is a lightweight utility used to inject JavaScript and/or CSS styles into pages. Unlike Greasemonkey and other add-ons of this type, FireMonkey respects your privacy.

Caveats: For advanced users. Installing user scripts without reviewing the code can present a security and/or privacy risk. While this holds true for extensions as well, user scripts are generally not scrutinized to the degree that extensions are when they are download from Mozilla.

Flagfox by Dave G [enhancement]

Flagfox is a neat utility that adds an icon to the address bar which represents the flag of the country in which the web server is located. When the icon is right-clicked, a context menu is revealed with many more tools, such as a WHOIS lookup, URL shortening services and more. You can also add your own services.

Caveats: If you choose to display the menu icons, they are not stored locally and have to be fetched the first time you open the menu which some might see as a privacy issue.

Format Link by Hiroaki Nakamura [enhancement]

Format Link offers flexible solutions for copying content and formatting it in different ways, such as HTML, markdown, plain text, , etc., before pasting it somewhere. For example, i use it a lot to copy a linked headline/page title and excerpt from articles that i paste in my News Bytes posts. I don't like it as much as Link Text and Location Copier, however that add-on is unmaintained and bugs are a problem.

Caveats: Format Link is a little buggy and needs some attention, but it's still a better solution than Link Text and Location Copier. If you have trouble copying content, try pausing for just a second after initiating Format Link. I've found that if you switch tabs too soon, the content may not be placed on the clipboard.

LocalCDN by nobody42 [privacy/security]

LocalCDN, a fork of Decentraleyes, is a must-have privacy enhancing add-on that has the additional benefit of decreasing the load time for many websites which depend on 3rd party Content Delivery Networks (CDN) for various functionality. It accomplishes this by storing and loading several common JavaScript and font libraries locally instead of having to fetch them from the server. Note that LocalCDN is probably not needed if privacy.firstparty.isolate is enabled.

Caveats: Could potentially break some websites, though this seems to happen very rarely in my experience. There are 'Filter HTML source code' and whitelist options to address such problems.

Mark-It by Matt [enhancement]

Mark-It is a simple and very handy add-on that replaces your new tab page with one that allows you to write notes in markup format.

mozlz4-edit by Siarhei Kuzeyeu [enhancement]

mozlz4-edit allows one to edit, format and otherwise manipulate several types of compressed files including the search.json.mozlz4 file which is where Firefox stores all of its search engine plugins. If this is too much for you, try the Search Engines Helper add-on below.

Caveats: For advanced users.

Privacy-Oriented Origin Policy by claustromaniac [privacy/security]

Privacy Oriented Origin Policy (POOP) helps protect your privacy by preventing Firefox from sending Origin headers, though how it works is configurable.

Caveats: For advanced users. May break some websites, though it is easily disabled and sites can be whitelisted. There is a lengthy discussion about what led to the development of this add-on on GitHub if you're interested.

Privacy Redirect by Simon Brazell [privacy/security]

Privacy Redirect redirects requests to several privacy-hating platforms to their privacy-friendly alternatives. YouTube videos, including embedded, can be redirected to several alternatives, as can Twitter, Bibliogram and Google Maps requests.

Caveats: Sometimes the requested alternative service may be overloaded or down, however you can always switch to another provider very quickly from the toolbar icon.

Redirector by Einar Egilsson [enhancement]

Redirector automatically redirects selected pages, links and more to another resource of your choosing. For some examples of how you can use Redirector, see the Redirecting this to that section of the Firefox Tweaks and Fixes and Styles and Things page.

Reverse Image Search by Andreas Bielawski

Reverse Image Search is a privacy friendly add-on used to find different versions of a given image using 3rd party services such as TinEye. Reverse image searching is a great way to find higher resolution versions of an image or to find when an image may have first been published to the web, the latter of which can be beneficial for researchers. Reverse Image Search also allows to add custom services to its menu.

RSS Preview by Aurelien David [enhancement]

RSS Preview simply displays a styled and formatted version of news feeds like Firefox used to do before the geniuses at Mozilla removed it. In addition it has an option to provide your own CSS. Here's the CSS i use if you'd like a dark theme:

custom CSS
html {
    font: unset;
    background-color: rgb(0, 0, 0);
    color: rgb(252, 252, 252);
}

#feedBody {
    background-color: black;
    color: white;
}
h2 {
    color: lightgray;
}
.enclosures {
    background-color: rgb(22, 31, 56);
}
.entrytitle {
    color: #97f674 !important;
}

Scroll Up Folder by Bruce Bujon [enhancement]

Scroll Up Folder adds an icon in the address bar that, when clicked, opens a list of the segments of the current document address. Clicking the list items makes it really easy to navigate up to a higher level of the address without having to manually edit it.

Search Engines Helper by Soufiane Sakhi

Search Engines Helper makes it really easy to add, import and export custom search engines for Firefox. It also allows using base64 code (data URLs) for the site icons.

simple-modify-headers by Didierfred

simple-modify-headers allows one to modify request and response headers. For example, i use this add-on to remove the style-src policy of the Content Security Policy (CSP) response header for websites that prevent CSS injection (addons.mozilla.org being one of them).

Caveats: For advanced users only! It is very easy to compromise security and break things with this add-on.

Skip Redirect by Sebastian Blask [privacy/security]

Redirects sometimes happen when you click on a hyperlink expecting to go directly to the destination and, instead, your request is passed through an intermediary. Redirects are often used to track your browsing history or display ads before you are forwarded to the target domain. Skip Redirect simply tries to bypass this annoying behavior. I would suggest keeping the notification enabled when Skip Redirect does its thing as this makes it easy to troubleshoot a problem.

Caveats: May break the functionality of some websites in which case they can be added to a whitelist.

Smart RSS Reader by zakius [enhancement]

Smart RSS Reader is a 3-pane news feed reader and a pretty good one at that. There are some little niggles with it and it's missing some features, but it functions quite well as a basic feed reader and the developer is friendly and open to suggestions.

While there is no default dark theme for Smart RSS yet, it does have an option to add your own CSS. Here's my CSS for a dark theme. This works for the vertical 3-pane layout:

Smart RSS Reader dark theme

/*
 * Smart RSS Reader - dark theme for 3-pane layout |feeds|titles|content| (30-DEC-2020)
 */

/*
 * GLOBAL
 */
html, body {
    color: lightgray;
    background: #2f2f2f;
}
.context-menu {
    background: black;
}
.region:not(.focused) .selected {
    background: black;
}
a {
    color: lightgreen;
}
#properties {
    background: black !important;
}
#properties input, #properties select {
    background: #67ff91 !important;
}

/* 
 * TOP TOOLBAR
 */
.toolbar {
    background: lightgreen;
}
.toolbar > .button {
    border: 1px solid #2f2f2f;
}
.input-search {
    background: black;
    color: white;
}
input[type="search"] {
    max-width: 260px;
    width: 260px;
    border: unset;
}

/*
 * FEEDS PANE
 */
.has-unread .source-title {
    font-weight: unset;
}
.source-title {
    font-size: unset;
}
.source-counter {
    color: black;
    background: lightgreen;
}
.sources-list-item {
    font-size: unset;    
}
.sources-list-item.selected:hover .source-title {
    color: white;
}
#indicator-progress {
    background: black !important;
}
#indicator-stop {
    background-color: red !important;
}

/*
 * TITLES PANE
 */
 .date-group {
    background: black;
}
.item-title {
    font-size: unset;
}
.full-headline > .item-title {
    white-space: break-spaces !important;
    overflow: hidden;
}
#article-list > .unvisited, .unvisited .articles-list-item-author {
    color: lightgray;
}
#article-list > .unread {
    font-weight: normal;
    color: lightgreen;
}
#article-list > .region:not(.focused) .selected {
    background: #2f2f2f;
    border-bottom-color: unset;
}
#article-list > .selected * {
    color: lightgray;
}
#article-list .item-author {
    color: darkgray;
    font-weight: normal;
}
#article-list .item-date {
    color: darkgray;
}

/*
 * CONTENT PANE
 */
#content h1 {
    color: #fdfdfd;
    font-size: 1rem;
    max-height: unset;
}
#content > header p {
    color: darkgray;
    padding-bottom: 10px;
}
#content > header .pin-button {
    opacity: 1;
}
#smart-rss-article-body {
    color: white;
    background: #2f2f2f;
    font-family: unset;
    font-size: unset;
    line-height:1.3;
}
#smart-rss-content > .more-link {
    color: lightgreen;
}
#smart-rss-content-footer {
    border-top: 2px dashed darkgray;
    margin-top: 20px;
}
#smart-rss-content-footer a {
    background: #2f2f2f;
}

Stylus by Armin Sebastian [enhancement]

Stylus is used to write, store and inject custom CSS styles into websites, or even the entire web if you wish. Though you can use FireMonkey for this, working with Stylus is so much nicer. Note: Do not use Stylish, a similar add-on which the developer sold to an unethical party.

Caveats: For advanced users that have at least a basic knowledge of CSS.

uBlock Origin by Raymond Hill [privacy/security]

uBlock Origin is a superior content filter (or firewall, if you like) that can replace several other content/ad blockers including Adblock Plus/Edge, NoScript, etc.. It is capable of using the same filter lists as Adblock Plus/Edge as well as many more that they cannot. Two of the most welcome differences with uBlock Origin is that it does not slow page loading to any noticeable degree and it uses less memory then the competition. Another major advantage is that it can block both 1st and 3rd party requests for images, scripts and frames when configured to use its advanced mode. See my Firefox Configuration Guide for Privacy Freaks and Performance Buffs article for more information regarding uBlock Origin. Lastly, use only uBlock Origin by Raymond Hill and not any other ripoff.

Caveats: For advanced users. As with any content filtering extension, uBlock Origin has the potential to break website functionality until it is configured correctly.

uMatrix by Raymond Hill [privacy/security]

uMatrix is another powerful content blocker by Raymond Hill and though it is similar to uBlock Origin, it offers more granular control like blocking cookies, CSS, images, plug-ins, scripts, XHR, frames and more. You can use uMatrix and uBlock Origin together. See my guide, Firefox Configuration Guide for Privacy Freaks and Performance Buffs, for further information.

Caveats: For advanced users. As with any content filtering extension, uMatrix has the potential to break website functionality until it is configured correctly.

The development of uMatrix was halted as of September, 2020. however i suspect it is likely that someone else will pick it up.

Web Archives by Armin Sebastian [enhancement]

Web Archives makes it easy to find archived version of webpages. It is fairly configurable, though it does not have an option to add your own archive resources, nor does it have an option to send a webpage to an archive, however i find the latter unnecessary since the archive sites i use allow you easily archive a page if one isn't isn't found.

Troubleshooting add-on related issues

See Firefox Tweaks and Fixes and Styles and Things.

Listing removed add-ons

While i'm sure there's a more geeky way of listing extensions which one has removed, this one works for me: In your Firefox profile folder, navigate to /extensions/staged and there should be folders with the names of the removed extensions. You can delete this folder if you like.

Doing it without an add-on

The fewer add-ons you install, the better, and there's a lot of things you can do to customize Firefox without add-ons.

Enhancing privacy and security

See: Firefox Configuration Guide for Privacy Freaks and Performance Buffs and The Firefox Privacy Guide For Dummies!

More tweaks

See:Firefox Tweaks and Fixes and Styles and Things

Giving back

If you like an add-on, or any other free and open source software, please donate to the developer. Trust me when i tell you that most developers of free software usually receive little or nothing for all the hours of hard work and support they provide. Developers are usually very appreciative of a donation regardless of how small it may be.

Recent changes

This list contains only the most recent changes

  • removed HTTPZ - this shouldn't be needed anymore since Firefox v83 (note that dom.security.https_only_mode must be enabled).
  • removed Maximize All Windows (Minimalist Version) - no longer needed, at least not on my system (KDE window rules can now be used)
  • replaced Toggle Fonts with Enforce Browser Fonts
  • updated Smart RSS Reader CSS code